
Hijacking Online Accounts Via Hacked Voicemail Systems

Proof-of-concept hack of voicemail systems shows how it can lead to account takeovers at multiple online services.

LEIPZIG, GERMANY – Voicemail systems are vulnerable to compromise via brute-force attacks against the four-digit personal identification numbers (PINs) that protect them. Researchers say a malicious user can thus access the voicemail system to then take over online accounts for services like WhatsApp, PayPal, LinkedIn and Netflix.

Martin Vigo, a mobile security expert who presented his research here on Thursday at 35C3, warns that the PINs protecting voicemail systems are far easier to crack than traditional passwords and are a weak link that can lead to hacked accounts.

“Automated phone calls are a common solution for password resets, account verification and other services,” Vigo said. “These can be compromised by leveraging old weaknesses and current technology to exploit this weakest link – voicemail systems.”

Inspired by early pioneers of phone phreaking, Vigo applied some of the same techniques to modern-day voicemail hacking. Once a voicemail system is compromised, the researcher said, a motivated attacker can simply listen to automated password-reset messages sent by online services. Compromised voicemail systems can also be set up to play dual-tone multi-frequency (DTMF) tones if password-reset systems require users to input a PIN.

To automate the voicemail compromise, Vigo wrote a script that can brute-force most four-digit PINs used by voicemail systems without the phone’s owner ever knowing. He released the code, minus the brute-force PIN cracking feature, on GitHub as Voicemailcracker.py to further research in this area.

In the demo on stage at the conference, Vigo showed how the system works with the brute-force feature turned on and demonstrated how he was able to gain access to WhatsApp, PayPal and LinkedIn. Each of the services has since updated its PIN verification system to prevent similar attacks, he said.

“Voicemailcracker uses Twilio, a VOIP service that allows you to programmatically manage phone calls. Voicemailcracker then launches hundreds of phone calls at the same time to interact with voicemail systems and bruteforce the PIN – all without the target’s knowledge of the attack,” he said.

The researcher discussed other means of launching attacks without the user’s knowledge, such as carrying out the assault while the user is on a plane or using backdoor access to a user’s voicemail system that doesn’t require calling the target directly.

The researcher said he has contacted vulnerable online services and telecom providers and made them aware of the weakness.

He advises consumers not to use easy-to-guess PINs, such as a birth year or simple number patterns. For online services, he recommends that they not use automated calls for security purposes. And he recommends that carriers not allow users to use DTMF tones in greetings and that they bar users from choosing easy-to-guess PINs.
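The PIN guidance above, as an added example that is not code from the talk or from the Voicemailcracker project: a policy check a carrier or service could run before accepting a new voicemail PIN, rejecting the easy-to-guess classes the article names. The birth-year range and the pattern definitions are assumptions.

```python
"""Voicemail PIN policy check (added example, not code from the talk or from
Voicemailcracker): reject the easy-to-guess four-digit PIN classes the article
names before a carrier or service accepts a new PIN. The year range and the
pattern definitions are assumptions."""

# Assumed range of plausible birth years to reject.
BIRTH_YEARS = range(1920, 2031)


def is_weak_pin(pin: str) -> tuple[bool, str]:
    """Return (weak?, reason). Checks run from most to least obvious pattern."""
    if len(pin) != 4 or not pin.isdigit():
        return True, "not four digits"
    digits = [int(c) for c in pin]
    # 0000, 1111, ...: a single repeated digit.
    if len(set(digits)) == 1:
        return True, "repeated digit"
    # 1234 or 9876: every step is +1, or every step is -1.
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps == {1} or steps == {-1}:
        return True, "sequential digits"
    # 1212, 2020: a two-digit pair typed twice.
    if pin[:2] == pin[2:]:
        return True, "repeated pair"
    # 1985: a plausible birth year.
    if int(pin) in BIRTH_YEARS:
        return True, "birth year"
    return False, "ok"


def weak_pin_count() -> int:
    """How much of the 10,000-PIN keyspace this policy removes."""
    return sum(is_weak_pin(f"{n:04d}")[0] for n in range(10_000))


if __name__ == "__main__":
    for sample in ["1111", "1234", "1985", "1212", "7305"]:
        print(sample, is_weak_pin(sample))
    print("rejected:", weak_pin_count(), "of 10000")
```

The policy removes 224 of the 10,000 possible PINs, so it complements rather than replaces a limit on failed PIN attempts, since the remaining 9,776 candidates are still few enough to try exhaustively.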

Authors

Threatpost
